generalnats

Configure TLS on a NATS server

You can secure the NATS server connections by enabling TLS, that way, all the communications between the server and its client will be encrypted. To enable TLS, follow the instructions below:

  • Install the Lego client.

  • Configure and install a Let’s Encrypt certificate for your domain.

  • Link the new TLS certificate and certificate key file to the correct locations:

      $ sudo ln -s /etc/lego/certificates/DOMAIN.crt /opt/bitnami/nats/conf/nats-server.crt
      $ sudo ln -s /etc/lego/certificates/DOMAIN.key /opt/bitnami/nats/conf/nats-server.key
    
  • In the /opt/bitnami/nats/conf/nats-server.conf file, edit the “tls” section. Modify these values from:

      # tls {
      #    cert_file: ""
      #    key_file: ""
      #    timeout:    2
      #  } # end-tls
    

    To:

      tls {
          cert_file: "/opt/bitnami/nats/conf/nats-server.crt"
          key_file: "/opt/bitnami/nats/conf/nats-server.key"
          timeout: 2
      }
    
  • Restart NATS:

      $ sudo /opt/bitnami/ctlscript.sh restart nats
    
  • To check if TLS is working, use a client for sending a message over TLS as shown below:

    NOTE: Check the Connect to NATS page to learn how to use a Golang client to write a simple NATS client.

      $ nats-pub -s tls://nats:PASSWORD@127.0.0.1:4222 -reply Hi SomeSubject "Hi everyone"
      Connected to NATS server: tls://127.0.0.1:4222
      Published [SomeSubject] : 'Hi everyone'
    
Last modification December 21, 2022